samba - Jul 2006 - samba 3.0.22 default ACL issue

Hi,

I use samba 3.0.22 as PDC on Debian with workstations under windows XP 
SP1 and SP2.
I use ACLs to have a fine grained access rules.

When I copy a directory from a client to a samba share, default ACLs are 
forgiven.
exemple : after I copy the directory A on the samba share :
getfacl A/
# file: A/
# owner: user1
# group: sambausers
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---

But the parent directory has default ACLs, I can prove it :
getfacl .
# file: .
# owner: user1
# group: sambausers
user::rwx
user:root:rwx
user:bacula:r-x
group::---
group:sambaguests:rwx
group:User_Standard:rwx
group:User_Lead:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:bacula:r-x
default:group::---
default:group:sambaguests:rwx
default:group:User_Standard:rwx
default:group:User_Lead:rwx
default:mask::rwx
default:other::---

Is it a bug ? because default ACLs are applied if I copy files. So Why 
different behavior between directory and files ?
I noticed that it happened only to local directories which belong to 
MYDOMAIN\user.  If the owner of the local directory is 
LOCALCOMPUTER\user the default ACLs is applied correctly. But once 
again, it concerns only directory. When the file belong to MYDOMAIN\user 
ACLs are applied correctly.

All what I want is that default ACLs are applied all the time whatever 
the owner of local directory.

I try to play with "directory security mask", "force directory
security
mode", inherit permissions without success.
Thank you for your help, I really don't know what to do.

My smb.conf looks like that :

# 
-----------------------------------------------------------------------------
# Global parameters
# 
-----------------------------------------------------------------------------
[global]
        dos charset = 850
        unix charset = ISO8859-1
        workgroup = elb-lyon
        netbios name = server02
        server string = server02.elb-lyon
        os level = 65
        domain logons = Yes
        domain master = Yes
        local master = Yes
        preferred master = Yes
        wins support = Yes

        obey pam restrictions = Yes
        passdb backend = tdbsam, guest
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %n\n 
*ReType*new*UNIX*password* %n\n 
*passwd:*all*authentication*tokens*updated*successfully*
        passwd chat debug = Yes
        pam password change = Yes
        unix password sync = Yes

        syslog = 0
        log level = 2
        # log level max = 10
        log file = /var/log/samba/log.%m
        max log size = 25600
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        invalid users = root2

        # param?tres samba utilisateur par defaut
        logon drive = P:
        logon home = \\server02\%U
        logon path = \\server02\profiles\%U
        logon script = %U.cmd

        # gestion des comptes posix automatique :)
        # Gestion des comptes POSIX
        add machine script = /usr/sbin/useradd -g sambamachines -c 
Machine -d /dev/null -s /bin/false '%u'
        add user script = /usr/sbin/useradd -g sambausers -c Utilisateur 
-d /dev/null -s /bin/false '%u'
        add group script = /usr/sbin/groupadd '%g'
        add user to group script = /usr/bin/gpasswd -a '%u' '%g'
        delete user script = /usr/sbin/userdel -r '%u'
        delete group script = /usr/sbin/groupdel '%g'
        delete user from group script = /usr/bin/gpasswd -d '%u'
'%g'
        set primary group script = /usr/sbin/usermod -g '%g'
'%u'

        veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/

        guest account = guest

        hosts allow = 192.168.0. 127.

# 
-----------------------------------------------------------------------------
# Necessaire Domaine
# 
-----------------------------------------------------------------------------
[homes]
        path = /mnt/SAN01/vd3_home2/home2/%u
        comment = Home Directories
        valid users = %S
        guest ok = No
        writable = Yes
        create mask = 0700
        directory mask = 0700
        browseable = No

[netlogon]
        path = /mnt/SAN01/vd3_home2/netlogon
        comment = Partage NetLogon
        valid users = @sambausers @sambaguests root
        guest ok = No
        read only = Yes
        browseable = No

[profiles]
        path = /mnt/SAN01/vd3_home2/profiles
        comment = Profils utilisateurs
        valid users = @sambausers @sambaguests root
        guest ok = No
        writable = Yes
        create mode = 0700
        browseable = No

# 
-----------------------------------------------------------------------------
# Partages
# 
-----------------------------------------------------------------------------
[vd1_echange]
        comment = Zone d'echange.
        path = /mnt/SAN01/vd1_echange
        valid users = root @sambaadmins @sambaguests @User_Standard
        guest ok = No
        writable = Yes
        create mask = 0770
        directory mask = 0770
        browseable = yes
        # inherit permissions = yes
        inherit acls = yes
        hide unreadable = Yes
        # directory security mask = 0000
        # force directory security mode = 0777



-- 
Sylvain DAVID / administrateur r?seau

         adr : Etranges Libellules
  .~.          17 Rue des Archers
  /v\          69002 LYON
 /(?)\   tel : 04 72 40 24 72
 ^^-^^   fax : 04 72 40 27 19

  www.etranges-libellules.fr
                                   --

Hi,

I sent an email on the mailing list of bestsbits 
(http://acl.bestbits.at/pipermail/acl-devel/2006-July/001980.html) 
because if nobody answer on this mailing list , it's probably directly 
linked to ACLs?
But, I really don't know if the problem is only with bestsbits or only 
with samba because I can reproduce the bug only in samba, not in 
console. So this bug seems to be linked to samba ?

Am I the only one who would like to use ACLs ? Are there any other 
solution to have a fine grained access rules which works with samba? 
(like trustees)
because if default ACLs don't works, I think using ACLs is a no sense.

For the while - hopping sometime this bug will be fix -  I use a dirty 
script run by cron which check & fix ACLs.
I know it's dirty... but I have I any other choice ?

I give up with this mistery. I'm too tired.

sylvain.david@etranges-libellules.fr a ?crit :
> Hi,
>
> I use samba 3.0.22 as PDC on Debian with workstations under windows XP 
> SP1 and SP2.
> I use ACLs to have a fine grained access rules.
>
> When I copy a directory from a client to a samba share, default ACLs 
> are forgiven.
> exemple : after I copy the directory A on the samba share :
> getfacl A/
> # file: A/
> # owner: user1
> # group: sambausers
> user::rwx
> group::---
> other::---
> default:user::rwx
> default:group::---
> default:other::---
>
> But the parent directory has default ACLs, I can prove it :
> getfacl .
> # file: .
> # owner: user1
> # group: sambausers
> user::rwx
> user:root:rwx
> user:bacula:r-x
> group::---
> group:sambaguests:rwx
> group:User_Standard:rwx
> group:User_Lead:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:bacula:r-x
> default:group::---
> default:group:sambaguests:rwx
> default:group:User_Standard:rwx
> default:group:User_Lead:rwx
> default:mask::rwx
> default:other::---
>
> Is it a bug ? because default ACLs are applied if I copy files. So Why 
> different behavior between directory and files ?
> I noticed that it happened only to local directories which belong to 
> MYDOMAIN\user.  If the owner of the local directory is 
> LOCALCOMPUTER\user the default ACLs is applied correctly. But once 
> again, it concerns only directory. When the file belong to 
> MYDOMAIN\user ACLs are applied correctly.
>
> All what I want is that default ACLs are applied all the time whatever 
> the owner of local directory.
>
> I try to play with "directory security mask", "force
directory
> security mode", inherit permissions without success.
> Thank you for your help, I really don't know what to do.
>
> My smb.conf looks like that :
>
> # 
>
-----------------------------------------------------------------------------
>
> # Global parameters
> # 
>
-----------------------------------------------------------------------------
>
> [global]
>        dos charset = 850
>        unix charset = ISO8859-1
>        workgroup = elb-lyon
>        netbios name = server02
>        server string = server02.elb-lyon
>        os level = 65
>        domain logons = Yes
>        domain master = Yes
>        local master = Yes
>        preferred master = Yes
>        wins support = Yes
>
>        obey pam restrictions = Yes
>        passdb backend = tdbsam, guest
>        passwd program = /usr/bin/passwd %u
>        passwd chat = *New*UNIX*password* %n\n 
> *ReType*new*UNIX*password* %n\n 
> *passwd:*all*authentication*tokens*updated*successfully*
>        passwd chat debug = Yes
>        pam password change = Yes
>        unix password sync = Yes
>
>        syslog = 0
>        log level = 2
>        # log level max = 10
>        log file = /var/log/samba/log.%m
>        max log size = 25600
>        dns proxy = No
>        panic action = /usr/share/samba/panic-action %d
>        invalid users = root2
>
>        # param?tres samba utilisateur par defaut
>        logon drive = P:
>        logon home = \\server02\%U
>        logon path = \\server02\profiles\%U
>        logon script = %U.cmd
>
>        # gestion des comptes posix automatique :)
>        # Gestion des comptes POSIX
>        add machine script = /usr/sbin/useradd -g sambamachines -c 
> Machine -d /dev/null -s /bin/false '%u'
>        add user script = /usr/sbin/useradd -g sambausers -c 
> Utilisateur -d /dev/null -s /bin/false '%u'
>        add group script = /usr/sbin/groupadd '%g'
>        add user to group script = /usr/bin/gpasswd -a '%u'
'%g'
>        delete user script = /usr/sbin/userdel -r '%u'
>        delete group script = /usr/sbin/groupdel '%g'
>        delete user from group script = /usr/bin/gpasswd -d '%u'
'%g'
>        set primary group script = /usr/sbin/usermod -g '%g'
'%u'
>
>        veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/
>
>        guest account = guest
>
>        hosts allow = 192.168.0. 127.
>
> # 
>
-----------------------------------------------------------------------------
>
> # Necessaire Domaine
> # 
>
-----------------------------------------------------------------------------
>
> [homes]
>        path = /mnt/SAN01/vd3_home2/home2/%u
>        comment = Home Directories
>        valid users = %S
>        guest ok = No
>        writable = Yes
>        create mask = 0700
>        directory mask = 0700
>        browseable = No
>
> [netlogon]
>        path = /mnt/SAN01/vd3_home2/netlogon
>        comment = Partage NetLogon
>        valid users = @sambausers @sambaguests root
>        guest ok = No
>        read only = Yes
>        browseable = No
>
> [profiles]
>        path = /mnt/SAN01/vd3_home2/profiles
>        comment = Profils utilisateurs
>        valid users = @sambausers @sambaguests root
>        guest ok = No
>        writable = Yes
>        create mode = 0700
>        browseable = No
>
> # 
>
-----------------------------------------------------------------------------
>
> # Partages
> # 
>
-----------------------------------------------------------------------------
>
> [vd1_echange]
>        comment = Zone d'echange.
>        path = /mnt/SAN01/vd1_echange
>        valid users = root @sambaadmins @sambaguests @User_Standard
>        guest ok = No
>        writable = Yes
>        create mask = 0770
>        directory mask = 0770
>        browseable = yes
>        # inherit permissions = yes
>        inherit acls = yes
>        hide unreadable = Yes
>        # directory security mask = 0000
>        # force directory security mode = 0777
>
>
>
-- 
Sylvain DAVID / administrateur r?seau

         adr : Etranges Libellules
  .~.          17 Rue des Archers
  /v\          69002 LYON
 /(?)\   tel : 04 72 40 24 72
 ^^-^^   fax : 04 72 40 27 19

  www.etranges-libellules.fr
                                   --